AWS Security ChangesHomeSearch

AWS singlesignon documentation change

Service: singlesignon · 2025-10-16 · Documentation low

File: singlesignon/latest/userguide/identity-center-customer-managed-keys.md

Summary

Restructured documentation for configuring KMS keys in IAM Identity Center, including clearer section headers, consolidated steps for changing key configurations, and added explicit AWS CLI command examples. Moved critical permissions validation warning to a dedicated 'Important' section.

Security assessment

The changes focus on improving clarity and usability of customer-managed KMS key configuration documentation. While KMS key management is inherently security-related, there is no evidence these changes address a specific vulnerability or incident. The 'Important' section about validating permissions reinforces security best practices but does not indicate a newly discovered issue.

Diff

diff --git a/singlesignon/latest/userguide/identity-center-customer-managed-keys.md b/singlesignon/latest/userguide/identity-center-customer-managed-keys.md
index 8d3b28c06..06ea77a6c 100644
--- a//singlesignon/latest/userguide/identity-center-customer-managed-keys.md
+++ b//singlesignon/latest/userguide/identity-center-customer-managed-keys.md
@@ -23 +23,5 @@ Some AWS managed applications cannot be used with AWS IAM Identity Center config
-  5. Step 5: Configure the KMS key in IAM Identity Center \- **IMPORTANT** : Before proceeding with this step, thoroughly validate all KMS key permissions configured in the previous steps. Once completed, IAM Identity Center will begin using the KMS key for encryption at rest. 
+  5. Step 5: Configure the KMS key in IAM Identity Center \- Enable the customer managed KMS key in your IAM Identity Center instance to use it for encryption at rest. 
+
+###### Important
+
+Before proceeding with this step, thoroughly validate all KMS key permissions configured in the previous steps. Once completed, IAM Identity Center will begin using the KMS key for encryption at rest.
@@ -186,4 +190 @@ Before proceeding with this step:
-Console
-    
-
-**To specify a KMS key when enabling a new organization instance of IAM Identity Center**
+### Specify a KMS key when enabling new organization instance of IAM Identity Center
@@ -199 +200 @@ When enabling a new organization instance of IAM Identity Center, you can specif
-  4. For KMS key, do one of the following:
+  4. For **KMS key** , do one of the following:
@@ -214,9 +215 @@ For more information, see [Enable IAM Identity Center](https://docs.aws.amazon.c
-**To specify a KMS key for an existing organization instance of IAM Identity Center**
-
-  1. Open the IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).
-
-  2. In the navigation pane, choose **Settings**.
-
-  3. On the **Settings** page in the **Encryption** section, choose **Edit**.
-
-  4. For **Encryption type** , choose **Customer managed key**.
+### Change the key configuration for an existing organization instance of IAM Identity Center
@@ -224,7 +217 @@ For more information, see [Enable IAM Identity Center](https://docs.aws.amazon.c
-  5. For **KMS key** , do one of the following:
-
-    1. Choose **Select from your KMS keys** and select the key you created from the dropdown list.
-
-###### Note
-
-Note that the pull-down list will only show the KMS keys you have access to in the same AWS account. Therefore, if you're doing this in the delegated administration account, you will need to specify the ARN of the key from your [AWS Organizations management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#management-account).
+You can change your customer managed KMS key to another key or switch to an AWS owned key at any time.
@@ -232 +219 @@ Note that the pull-down list will only show the KMS keys you have access to in t
-    2. Choose **Enter KMS key ARN** and enter the full ARN of your key.
+Console
@@ -234 +220,0 @@ Note that the pull-down list will only show the KMS keys you have access to in t
-  6. Choose **Save changes**.
@@ -235,0 +222 @@ Note that the pull-down list will only show the KMS keys you have access to in t
+**To change your KMS key configuration**
@@ -236,0 +224 @@ Note that the pull-down list will only show the KMS keys you have access to in t
+  1. Open the IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).
@@ -237,0 +226 @@ Note that the pull-down list will only show the KMS keys you have access to in t
+  2. In the navigation pane, choose **Settings**.
@@ -239 +228 @@ Note that the pull-down list will only show the KMS keys you have access to in t
-AWS CLI
+  3. Choose the **Additional settings** tab.
@@ -240,0 +230 @@ AWS CLI
+  4. Choose **Manage encryption**.
@@ -241,0 +232 @@ AWS CLI
+  5. Choose one of the following:
@@ -243,4 +234 @@ AWS CLI
-    aws ssoadmin update-instance \
-      --configuration KeyType=string,KmsKeyArn=string \
-      --instance-arn string \
-      --name string
+    1. **Customer managed key** \- Select a different customer managed key from the dropdown or enter a new key ARN.
@@ -248 +236 @@ AWS CLI
-**Change your KMS key configuration**
+    2. **AWS owned key** \- Switch to the default encryption option.
@@ -250 +238 @@ AWS CLI
-You can change your customer managed KMS key to another key or switch to an AWS owned key at any time.
+  6. Choose **Save**.
@@ -252 +239,0 @@ You can change your customer managed KMS key to another key or switch to an AWS
-**To change your KMS key configuration**
@@ -254 +240,0 @@ You can change your customer managed KMS key to another key or switch to an AWS
-  1. Open the IAM Identity Center console.
@@ -256 +241,0 @@ You can change your customer managed KMS key to another key or switch to an AWS
-  2. In the navigation pane, choose Settings.
@@ -258 +243 @@ You can change your customer managed KMS key to another key or switch to an AWS
-  3. Choose the Additional settings tab.
+AWS CLI
@@ -260 +244,0 @@ You can change your customer managed KMS key to another key or switch to an AWS
-  4. Choose Manage encryption.
@@ -262 +246 @@ You can change your customer managed KMS key to another key or switch to an AWS
-  5. Choose one of the following:
+**To change an existing organization instance of IAM Identity Center to use KMS customer managed key**
@@ -264 +247,0 @@ You can change your customer managed KMS key to another key or switch to an AWS
-    1. **Customer managed key** \- Select a different customer managed key from the dropdown or enter a new key ARN.
@@ -266 +249,4 @@ You can change your customer managed KMS key to another key or switch to an AWS
-    2. **AWS owned key** \- Switch to the default encryption option.
+    aws sso-admin update-instance \
+        --instance-arn arn:aws:sso:::instance/ssoins-1234567890abcdef \
+        --encryption-configuration \
+            KeyType=CUSTOMER_MANAGED_KEY,KmsKeyArn=arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab 
@@ -268 +253,0 @@ You can change your customer managed KMS key to another key or switch to an AWS
-  6. Choose **Save**.
@@ -269,0 +255 @@ You can change your customer managed KMS key to another key or switch to an AWS
+**To change an existing organization instance of IAM Identity Center to use AWS owned key**
@@ -271,0 +258,3 @@ You can change your customer managed KMS key to another key or switch to an AWS
+    aws sso-admin update-instance \
+        --instance-arn arn:aws:sso:::instance/ssoins-1234567890abcdef \
+        --encryption-configuration KeyType=AWS_OWNED_KMS_KEY
@@ -300 +289 @@ Every IAM Identity Center instance has an associated Identity Store that stores
-You can find both the ARN and the Identity Store ID values on the Settings page of your IAM Identity Center. Note that the Identity store ID is in the Identity source tab. 
+You can find both the ARN and the Identity Store ID values on the Settings page of your IAM Identity Center. The Identity store ID is in the Identity source tab.